Gerald Nash (Louth, Labour)
Link to this: Individually | In context | Oireachtas source

216. To ask the Minister for Finance the progress the Central Bank has been making in ensuring that all retail banks and payment services providers will be ready in time to implement the strong customer authentication requirements of the payment services directive 2 in time for 1 January 2021; if all retail banks will be ready in time; and if he will make a statement on the matter. [43426/20]

Paschal Donohoe (Dublin Central, Fine Gael)
Link to this: Individually | In context | Oireachtas source

The revised Payment Services Directive (PSD2) of 2015 introduced strong security requirements for the initiation and processing of electronic payments, which apply to all payment service providers (PSPs). This approach is intended to reduce the risk of fraud for all types of electronic payments (especially online payments) and to protect the confidentiality of the user’s financial data.

Payment Service Providers are obliged to apply strong customer authentication (SCA) when a payer initiates an electronic payment transaction. Strong Customer Authentication under PSD2 requires the customer to go through two-factor authentication made up of elements from two of three separate categories: knowledge, possession, and inherence. SCA is a combination of something you know (a password or PIN), something you have (a card reader or token generator) and something you are (a fingerprint).

In an Opinion published on 16 October 2019 the European Banking Authority (EBA) set the final deadline for full compliance with SCA requirements at 31 December 2020. The EBA felt that this time should be sufficient for issuing and acquiring payment service providers and their merchants to migrate to SCA-compliant approaches and solutions.

Following the outbreak of Covid-19 earlier this year industry bodies from across the EU, including the Banking and Payments Federation of Ireland (BPFI), wrote to the EU Commission and the EBA seeking a further extension to the deadline for compliance with the SCA requirements. They outlined that Covid-19 was clearly having an impact on all sectors of the EU economy and that industry was unlikely to be able to meet the current deadline of 31 December 2020 for SCA migration.

On 8 December, in an effort to avoid significant disruption to payments, the BPFI announced plans for an industry ramp-up approach for the implementation of SCA. This approach means that payment card issuers will gradually ramp-up to full adoption of SCA, this ramp-up will incorporate value thresholds and the implementation of soft declines when processing card payments. This does not mean that payments for values below the ramp-up thresholds will all be approved and transactions will continue to be closely monitored for possible fraud.

Where a regulated payment service provider (PSP) is in a position to implement the requirements with effect from 1 January 2021, the Central Bank of Ireland expects them to do so, in a manner that does not cause customer detriment.

Through engagements with regulated PSPs on the progress of their SCA migration plans, the Central Bank is aware of some issues around the full implementation of SCA by 31 December 2020. The Central Bank has communicated to these PSPs that they are required to implement the Requirements as soon as possible in a manner that does not cause customer detriment.

As the deadline for SCA implementation approaches, Department officials will continue to work with the Central Bank and BPFI to minimise possible payment disruption experienced by consumers and merchants.